I found that I'm getting a 403 because TomEERealm.hasResourcePermission() compares my logged-in role (Administrator) with the only security constraint that it has within its context (which is 'default'). I would have assumed that somehow the @DeclareRoles(value = {"Administrator"}) would have also added a security constraint for 'Administrator'. But since only 'default' exists, the method returns false for hasRole().
RealmBase.hasResourcePermission() (base class of TomEERealm):

    // roles == [default]
    // principal == GenericPrincipal[tomee(Administrator,)]
    for (int j = 0; j < roles.length; j++) {
        if (hasRole(null, principal, roles[j])) {
            status = true;
            if (log.isDebugEnabled())
                log.debug("Role found: " + roles[j]);
        } else if (log.isDebugEnabled())
            log.debug("No role found: " + roles[j]);
    }

I then took a look to see how the security constraints are built. Below is the only reference I see to adding security roles (and is where the 'default' is coming from):

TomcatWsRegistry.createNewContext(ClassLoader, String, String, String, String):

    SecurityConstraint sc = new SecurityConstraint();
    sc.addAuthRole("*");
    sc.addCollection(collection);
    sc.setAuthConstraint(true);
    sc.setUserConstraint(transportGuarantee);
    context.addConstraint(sc);
    context.addSecurityRole("default");

Could this have something to do with me deploying my webservice as a jar (and not within a war, defining constraints within web.xml)? How else would the WS's declared roles be added?

--
View this message in context: http://openejb.979440.n4.nabble.com/webservice-security-basic-auth-tp4662743p4662820.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
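The role check described in the post, reduced to a self-contained Java example (added here; not code from the post, TomEE or Tomcat). Tomcat treats the "*" auth role set by addAuthRole("*") as "all roles declared on the web context", so the loop only ever sees the context's declared security roles ('default' here); the Principal, Constraint and context-role set below are simplified stand-ins for GenericPrincipal, SecurityConstraint and the Context.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

// Simplified stand-ins for Tomcat's GenericPrincipal / SecurityConstraint / Context (assumed shapes).
public class RoleCheckDemo {
    static final class Principal {
        final Set<String> roles;
        Principal(String... roles) { this.roles = new LinkedHashSet<>(Arrays.asList(roles)); }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // addAuthRole("*") flags allRoles; any other role name is collected as a named auth role.
    static final class Constraint {
        boolean allRoles;
        final Set<String> authRoles = new LinkedHashSet<>();
        void addAuthRole(String role) {
            if ("*".equals(role)) { allRoles = true; } else { authRoles.add(role); }
        }
    }

    // Mirrors the loop in RealmBase.hasResourcePermission(): with allRoles set, the roles checked
    // are the ones declared on the web context (context.addSecurityRole / <security-role> in web.xml).
    static boolean hasResourcePermission(Constraint c, Set<String> contextSecurityRoles, Principal p) {
        Set<String> roles = c.allRoles ? contextSecurityRoles : c.authRoles;
        boolean status = false;
        for (String role : roles) {
            if (p.hasRole(role)) {
                status = true;
                System.out.println("Role found: " + role);
            } else {
                System.out.println("No role found: " + role);
            }
        }
        return status;
    }

    public static void main(String[] args) {
        Constraint sc = new Constraint();
        sc.addAuthRole("*");                              // as in TomcatWsRegistry.createNewContext
        Set<String> ctxRoles = new LinkedHashSet<>(Arrays.asList("default"));
        Principal admin = new Principal("Administrator"); // the tomee(Administrator,) principal

        // Only "default" is declared on the context, so the Administrator principal is refused (the 403).
        System.out.println("declared [default]: " + hasResourcePermission(sc, ctxRoles, admin));

        // Declaring the role on the web context itself (what a <security-role> entry would do) lets it pass.
        ctxRoles.add("Administrator");
        System.out.println("declared [default, Administrator]: " + hasResourcePermission(sc, ctxRoles, admin));
    }
}
```

The example shows why an EJB-level @DeclareRoles has no effect on this check: the comparison is against the web context's own security-role list, not the bean's declared roles.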